How expand domain subnet?

We currently have a 192.168.1/24 LAN with 2 fixed-IP Win2K3 DCs (AD
integrated, both WINS and DHCP), a fixed-IP PIX firewall, and dynamic-IP XP
workstations, and VPN clients (managed by PIX firewall).

I want to expand this to a 192.168.0/26 LAN, and believe the necessary steps
are:

1) Configure the primary DC TCP/IP to use 255.255.252.0 mask, repeat for
secondary DC.

2) Configure DHCP on each DC to use 192.168.0/26 scope, with non-overlapping
lease pools (192.168.2/24, 192.168.3/24)

3) Expand inside subnet of PIX firewall to 192.168.0/26

Is it this simple, or have I overlooked something?

Later I wish to add further firewalls, each with own ADSL link. To assign
users to a particular firewall, I assume easiest method is to assign them to
OUs with different logon scripts, which overwrite the DHCP-assigned gateway
by means of a 'route add 0.0.0.0' command.

TIA,
--
Newell White

No.

Add a new segment. Don't create segments larger than /24. Keep the maximum
number of hosts per segment to 250-300,...which is what the /24 does with
254 hosts. Ethernet begins to loose efficiency with too many hosts.

If you need more, create a new segment and place a LAN Router between the
segments.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Newell White" <(E-Mail Removed)> wrote in message
news:666F68C3-FA7C-4ED1-8D1C-(E-Mail Removed)...
> We currently have a 192.168.1/24 LAN with 2 fixed-IP Win2K3 DCs (AD
> integrated, both WINS and DHCP), a fixed-IP PIX firewall, and dynamic-IP
> XP
> workstations, and VPN clients (managed by PIX firewall).
>
> I want to expand this to a 192.168.0/26 LAN, and believe the necessary
> steps
> are:
>
> 1) Configure the primary DC TCP/IP to use 255.255.252.0 mask, repeat for
> secondary DC.
>
> 2) Configure DHCP on each DC to use 192.168.0/26 scope, with
> non-overlapping
> lease pools (192.168.2/24, 192.168.3/24)
>
> 3) Expand inside subnet of PIX firewall to 192.168.0/26
>
> Is it this simple, or have I overlooked something?
>
> Later I wish to add further firewalls, each with own ADSL link. To assign
> users to a particular firewall, I assume easiest method is to assign them
> to
> OUs with different logon scripts, which overwrite the DHCP-assigned
> gateway
> by means of a 'route add 0.0.0.0' command.
>
> TIA,
> --
> Newell White

As an aside, that would be a 22-bit subnet, not a 26-bit. A 26-bit
subnet would reduce the number of possible clients to 62 .

192.168.1.0/24 represents the subnet containing the addresses
192.168.1.1 through 192.168.1.254 . The 24-bit subnet mask is 255.255.255.0
.. 192.168.1.0/26 represents the subnet containing the addresses 192.168.1.1
through 192.168.1.62 . The subnet mask is 255.255.255.192 . An address like
192.168.1.73 would be in the next IP subnet of 192.168.1.64/26 .

I agree with Phillip. Stay with /24 . If you want groups of machines
to use different gateways, put them in their own 24-bit subnet and and point
them to a gateway in that subnet. If you want these groups to see each
other, route between the segments/subnets.

"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> No.
>
> Add a new segment. Don't create segments larger than /24. Keep the
> maximum number of hosts per segment to 250-300,...which is what the /24
> does with 254 hosts. Ethernet begins to loose efficiency with too many
> hosts.
>
> If you need more, create a new segment and place a LAN Router between the
> segments.
>
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
> "Newell White" <(E-Mail Removed)> wrote in message
> news:666F68C3-FA7C-4ED1-8D1C-(E-Mail Removed)...
>> We currently have a 192.168.1/24 LAN with 2 fixed-IP Win2K3 DCs (AD
>> integrated, both WINS and DHCP), a fixed-IP PIX firewall, and dynamic-IP
>> XP
>> workstations, and VPN clients (managed by PIX firewall).
>>
>> I want to expand this to a 192.168.0/26 LAN, and believe the necessary
>> steps
>> are:
>>
>> 1) Configure the primary DC TCP/IP to use 255.255.252.0 mask, repeat for
>> secondary DC.
>>
>> 2) Configure DHCP on each DC to use 192.168.0/26 scope, with
>> non-overlapping
>> lease pools (192.168.2/24, 192.168.3/24)
>>
>> 3) Expand inside subnet of PIX firewall to 192.168.0/26
>>
>> Is it this simple, or have I overlooked something?
>>
>> Later I wish to add further firewalls, each with own ADSL link. To assign
>> users to a particular firewall, I assume easiest method is to assign them
>> to
>> OUs with different logon scripts, which overwrite the DHCP-assigned
>> gateway
>> by means of a 'route add 0.0.0.0' command.
>>
>> TIA,
>> --
>> Newell White
>
>

Thanks for advice on best practice, and correcting my IP terminology.

But if my LAN was going to contain less than 200 Ethernet nodes, would my
proposed scheme work, and with reasonable efficiency?
--
Newell White


"Bill Grant" wrote:

> As an aside, that would be a 22-bit subnet, not a 26-bit. A 26-bit
> subnet would reduce the number of possible clients to 62 .
>
> 192.168.1.0/24 represents the subnet containing the addresses
> 192.168.1.1 through 192.168.1.254 . The 24-bit subnet mask is 255.255.255.0
> .. 192.168.1.0/26 represents the subnet containing the addresses 192.168.1.1
> through 192.168.1.62 . The subnet mask is 255.255.255.192 . An address like
> 192.168.1.73 would be in the next IP subnet of 192.168.1.64/26 .
>
> I agree with Phillip. Stay with /24 . If you want groups of machines
> to use different gateways, put them in their own 24-bit subnet and and point
> them to a gateway in that subnet. If you want these groups to see each
> other, route between the segments/subnets.
>
> "Phillip Windell" <@.> wrote in message
> news:(E-Mail Removed)...
> > No.
> >
> > Add a new segment. Don't create segments larger than /24. Keep the
> > maximum number of hosts per segment to 250-300,...which is what the /24
> > does with 254 hosts. Ethernet begins to loose efficiency with too many
> > hosts.
> >
> > If you need more, create a new segment and place a LAN Router between the
> > segments.
> >
> >
> > --
> > Phillip Windell [MCP, MVP, CCNA]
> > www.wandtv.com
> >
> >
> > "Newell White" <(E-Mail Removed)> wrote in message
> > news:666F68C3-FA7C-4ED1-8D1C-(E-Mail Removed)...
> >> We currently have a 192.168.1/24 LAN with 2 fixed-IP Win2K3 DCs (AD
> >> integrated, both WINS and DHCP), a fixed-IP PIX firewall, and dynamic-IP
> >> XP
> >> workstations, and VPN clients (managed by PIX firewall).
> >>
> >> I want to expand this to a 192.168.0/26 LAN, and believe the necessary
> >> steps
> >> are:
> >>
> >> 1) Configure the primary DC TCP/IP to use 255.255.252.0 mask, repeat for
> >> secondary DC.
> >>
> >> 2) Configure DHCP on each DC to use 192.168.0/26 scope, with
> >> non-overlapping
> >> lease pools (192.168.2/24, 192.168.3/24)
> >>
> >> 3) Expand inside subnet of PIX firewall to 192.168.0/26
> >>
> >> Is it this simple, or have I overlooked something?
> >>
> >> Later I wish to add further firewalls, each with own ADSL link. To assign
> >> users to a particular firewall, I assume easiest method is to assign them
> >> to
> >> OUs with different logon scripts, which overwrite the DHCP-assigned
> >> gateway
> >> by means of a 'route add 0.0.0.0' command.
> >>
> >> TIA,
> >> --
> >> Newell White
> >
> >
>
>
>

"Newell White" <(E-Mail Removed)> wrote in message
news89F9D29-6F4B-4B0D-B2B5-(E-Mail Removed)...
> Thanks for advice on best practice, and correcting my IP terminology.
>
> But if my LAN was going to contain less than 200 Ethernet nodes, would my
> proposed scheme work, and with reasonable efficiency?

Which particular part of the scheme? I don't think it is clear what you are
even thinking.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

I merely wish to expand our domain subnet, not because we want 1000 nodes,
but to allow:

100% redundancy between the two DHCP servers - I have never seen how the
oft-quoted 80-20 rule helps if a server goes down. Giving pool 192.168.2.x to
one, and 192.168.3.x to the other achieves this.

Ability to put fixed-IP devices on 192.168.1.x (accessible through the
split-tunnel VPN defined in Cisco PIX) or 192.168.0.x (inaccessible).

In a small company with 2 servers I do not have the resources to set up a
laboratory LAN :-(, which would have allowed me to answer my own question.
--
Newell White


"Phillip Windell" wrote:

>
> "Newell White" <(E-Mail Removed)> wrote in message
> news89F9D29-6F4B-4B0D-B2B5-(E-Mail Removed)...
> > Thanks for advice on best practice, and correcting my IP terminology.
> >
> > But if my LAN was going to contain less than 200 Ethernet nodes, would my
> > proposed scheme work, and with reasonable efficiency?
>
> Which particular part of the scheme? I don't think it is clear what you are
> even thinking.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>
>
>

"Newell White" <(E-Mail Removed)> wrote in message
news:51CE22E7-06E6-4812-ABDD-(E-Mail Removed)...
> 100% redundancy between the two DHCP servers - I have never seen how the
> oft-quoted 80-20 rule helps if a server goes down.

I never believed in 80/20. Use 50/50.
Configure the two DHCPs indentically (...*identically*...).
Use the Full IP Range in the Scope.
Then use the Exclusions to adjust so that one machine gives out the first
half of the addresses, while the second one gives out the second half of the
addresses. If one DHCP dies and won't be backup for a while, you just
remove the Exclusion on the "live" one so that it gives out all the
addresses. When the other is fixed, put the Exclusion back again the way
they were.
**Note:** There is no Automatic Redundancy,...it doesn't exist,...you have
to manually alter the Exclusions of one goes down, and then you have to
manually put them back the way they were afterwards.

> Giving pool 192.168.2.x to one, and 192.168.3.x to the other achieves
> this.

Not it does not. Not at all. That creates two segments on the same wire
(Multi-Net) and creates a situation where the Hosts on one cannot talk to
the hosts on the other unless you configure a router to function between
them. Without the Router every client would have to be manually configured
to use its own IP# as the Default Gateway which you can't do with DHCP.
Using their own IP# as the DFG causes them to take anything destined for
another segment and just "drop it on the wire" and since everything is on
the same wire the packet will be found. However this just takes one complex
convoluted mess and makes a bigger complex convoluted mess.

> Ability to put fixed-IP devices

Have separate Exclusions (not those mentioned above) that are identical on
both DHCP Servers for addresses that should never be given out by DHCP. The
Exclusions would never be changed if one DHCP went down.

> on 192.168.1.x (accessible through the
> split-tunnel VPN defined in Cisco PIX) or 192.168.0.x (inaccessible).

I have no idea what you mean by that.

> In a small company with 2 servers I do not have the resources to set up a
> laboratory LAN :-(, which would have allowed me to answer my own question.

VirtualPC and Virtual Server are free, but takes a fast CPU and about 2 gig
of ram to create much of a "lab". But I don't know anyway to create much of
a test for this with these products in this particular case.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> "Newell White" <(E-Mail Removed)> wrote in message
> news:51CE22E7-06E6-4812-ABDD-(E-Mail Removed)...
>> 100% redundancy between the two DHCP servers - I have never seen how the
>> oft-quoted 80-20 rule helps if a server goes down.
>
> I never believed in 80/20. Use 50/50.
> Configure the two DHCPs indentically (...*identically*...).
> Use the Full IP Range in the Scope.
> Then use the Exclusions to adjust so that one machine gives out the first
> half of the addresses, while the second one gives out the second half of
> the addresses. If one DHCP dies and won't be backup for a while, you just
> remove the Exclusion on the "live" one so that it gives out all the
> addresses. When the other is fixed, put the Exclusion back again the way
> they were.
> **Note:** There is no Automatic Redundancy,...it doesn't exist,...you have
> to manually alter the Exclusions of one goes down, and then you have to
> manually put them back the way they were afterwards.
>
>> Giving pool 192.168.2.x to one, and 192.168.3.x to the other achieves
>> this.
>
> Not it does not. Not at all. That creates two segments on the same wire
> (Multi-Net) and creates a situation where the Hosts on one cannot talk to
> the hosts on the other unless you configure a router to function between
> them. Without the Router every client would have to be manually
> configured to use its own IP# as the Default Gateway which you can't do
> with DHCP. Using their own IP# as the DFG causes them to take anything
> destined for another segment and just "drop it on the wire" and since
> everything is on the same wire the packet will be found. However this
> just takes one complex convoluted mess and makes a bigger complex
> convoluted mess.
>
>> Ability to put fixed-IP devices
>
> Have separate Exclusions (not those mentioned above) that are identical on
> both DHCP Servers for addresses that should never be given out by DHCP.
> The Exclusions would never be changed if one DHCP went down.
>
>> on 192.168.1.x (accessible through the
>> split-tunnel VPN defined in Cisco PIX) or 192.168.0.x (inaccessible).
>
> I have no idea what you mean by that.
>
>> In a small company with 2 servers I do not have the resources to set up a
>> laboratory LAN :-(, which would have allowed me to answer my own
>> question.
>
> VirtualPC and Virtual Server are free, but takes a fast CPU and about 2
> gig of ram to create much of a "lab". But I don't know anyway to create
> much of a test for this with these products in this particular case.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
Yes, VPC or virtual server is a great tool for testing network
configs. And 2G of memory is a realistic minimum figure for RAM (especially
with Longhorn/Vista needing 512M to install). I am currently running two XP
workstations with 2G RAM each to host 6 or 7 vms including Vista/Longhorn to
test various network configs.

"Bill Grant" <not.available@online> wrote in message
news:%(E-Mail Removed)...
> Yes, VPC or virtual server is a great tool for testing network
> configs. And 2G of memory is a realistic minimum figure for RAM
> (especially with Longhorn/Vista needing 512M to install). I am currently
> running two XP workstations with 2G RAM each to host 6 or 7 vms including
> Vista/Longhorn to test various network configs.

I run 2gig on my workstation and I get about 5 copies of Server2003 and 1 or
2 workstation running at the same time without problems. I don't think I
pushed it much beyond that. Mainly I keep all my various copies of ISA
Server on it for working in the ISA Server Newsgroup which is the main group
I deal with.

At home I don't have as good of hardware but I run and extra copy of XP in
it so I can use it for the Internet browsing and can dump it without saving
changes (undo disks) if it gets infected with spyware,...helps keep my main
machine clean.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Gentlemen,
I understand that you are encouraging me to follow what is generally
regarded as best practice, and I thank you for your time. But you seem to
ignore some points of my plan.
1) The LAN will occupy the IP-space 192.168.0.0 to 192.168.3.255, defined in
the server subnet masks and the IDENTICAL DHCP scopes.
2) The DHCP servers are configured to dish out non-overlapping pools of 253
addresses each. So if a server goes down, DHCP does not need reconfiguring
until I get back from holiday.
3) Because PIX firewall is set up to configure a Cisco VPN client that
contacts it to route traffic for 192.168.1.x ONLY through the tunnel, only a
portion of the LAN is accessible to VPN clients - good.

So really my question boils down to this:
Although it is unusual to have a segment of TCP/IP LAN without internal
routers bigger than 256 potential nodes, is it feasible?
And using W2k3 DCs, is it only the subnet mask of fixed-IP DCs, external
routers/firewalls, and the DHCP scope, that need revising to expand from 256
potential nodes to 1024?

Using this much IP-space for only 200 hosts may seem profligate, but the
beauty of non-routable addresses is I am not squandering a shared resource.
But it is important to restrict the aperture of the VPN tunnel, not just on
security grounds, but if the VPN client is on a 192.168.x.x LAN it uses up
their resource.

Regards
--
Newell White


"Phillip Windell" wrote:

> "Bill Grant" <not.available@online> wrote in message
> news:%(E-Mail Removed)...
> > Yes, VPC or virtual server is a great tool for testing network
> > configs. And 2G of memory is a realistic minimum figure for RAM
> > (especially with Longhorn/Vista needing 512M to install). I am currently
> > running two XP workstations with 2G RAM each to host 6 or 7 vms including
> > Vista/Longhorn to test various network configs.
>
> I run 2gig on my workstation and I get about 5 copies of Server2003 and 1 or
> 2 workstation running at the same time without problems. I don't think I
> pushed it much beyond that. Mainly I keep all my various copies of ISA
> Server on it for working in the ISA Server Newsgroup which is the main group
> I deal with.
>
> At home I don't have as good of hardware but I run and extra copy of XP in
> it so I can use it for the Internet browsing and can dump it without saving
> changes (undo disks) if it gets infected with spyware,...helps keep my main
> machine clean.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>